The present invention relates to a device for handling sensitive data and a method for securely transferring sensitive data between at least one processing unit and a memory device. The invention further relates to an integrated circuitry with an integrated memory area for securely storing sensitive data. Moreover, the invention is directed to a gambling machine processing sensitive data.
Data security is an important issue for many aspects of business, particularly as it relates to stored proprietary or confidential data. For example, computer program source code stored in flash memory (or other form of electronic memory) can be valuable proprietary information. Another example of proprietary information may be book keeping data of a gambling machine.
For example, a microprocessor system may be implemented as a system on a chip (SOC) which comprises a processor that accesses both on-chip and off-chip memory. Secure computation can be achieved if the software is secure and the associated instructions and data remain entirely on-chip and are not exposed to external view. But once data is transferred off-chip, it becomes vulnerable to attack and the security of a given computation may be compromised. For example, an attacker could obtain access to an unprotected off-chip memory and examine the stored data, possibly detecting secret information. The attacker could even modify the stored data and thereby subvert an otherwise secure computation.
To avoid unauthorized access and/or manipulation of data stored in an external memory, the data may be handled according to a cryptographic method.
Cryptographic methods and systems may be used to protect state information in a personal communication device by securely storing the state information in one of several ways. One way is to write a snapshot of the state information and compute its checksum, e.g. by using a one-way hash function. The result is stored within a tamper-resistant memory location of the device. Therefore, if someone tries to change the state information, the checksum of the altered state will not match the checksum value stored within the personal device. Another way is to use a monotonic, persistent counter within the device: every time there is a state change, the state information is stored along with the current counter value, encrypted using a device key. Thus, it may not be possible to change the encrypted state information without the key.
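As an added illustration, not part of the patent text, the following Python model combines the two schemes just described: the snapshot checksum and the monotonic counter live in a trusted on-chip area, while the counter-bound record goes to untrusted external memory. Because the standard library has no block cipher, this example binds the record to the device key with an HMAC instead of encrypting it; that substitution, the key value and the sample state are assumptions of the example.

```python
import hashlib
import hmac
import json

TAG_LEN = 32  # SHA-256 output length


class TamperDetected(Exception):
    """Raised when the stored state fails any of the integrity checks."""


class ProtectedState:
    """Trusted-side state: counter and checksum on-chip, record off-chip."""

    def __init__(self, device_key: bytes):
        self._key = device_key          # device key, never leaves the chip
        self._counter = 0               # monotonic, persistent counter (on-chip)
        self._trusted_digest = b""      # checksum in tamper-resistant location
        self.external = b""             # record as written to off-chip memory

    @staticmethod
    def _record(state: dict, counter: int) -> bytes:
        return json.dumps({"ctr": counter, "state": state}, sort_keys=True).encode()

    def save(self, state: dict) -> None:
        self._counter += 1                        # every state change bumps the counter
        rec = self._record(state, self._counter)
        # Keyed binding stands in for "encrypted using a device key" (assumption).
        tag = hmac.new(self._key, rec, hashlib.sha256).digest()
        self.external = rec + tag                 # untrusted copy
        self._trusted_digest = hashlib.sha256(rec).digest()  # one-way hash snapshot

    def load(self) -> dict:
        rec, tag = self.external[:-TAG_LEN], self.external[-TAG_LEN:]
        expected = hmac.new(self._key, rec, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise TamperDetected("keyed integrity check failed")
        obj = json.loads(rec)
        if obj["ctr"] != self._counter:
            raise TamperDetected("stale record (rollback)")  # old but validly tagged copy
        if hashlib.sha256(rec).digest() != self._trusted_digest:
            raise TamperDetected("snapshot checksum mismatch")
        return obj["state"]


def outcome(ps: ProtectedState) -> str:
    """Return the loaded state as text, or the reason the load was rejected."""
    try:
        return "ok:" + json.dumps(ps.load(), sort_keys=True)
    except TamperDetected as exc:
        return "rejected:" + str(exc)


def demo_modified_external_memory() -> str:
    ps = ProtectedState(b"constructed-device-key")
    ps.save({"credits": 100})                                # constructed sample state
    ps.external = ps.external.replace(b'"credits": 100', b'"credits": 900')
    return outcome(ps)


def demo_rolled_back_external_memory() -> str:
    ps = ProtectedState(b"constructed-device-key")
    ps.save({"credits": 500})
    old = ps.external                                        # validly tagged old record
    ps.save({"credits": 20})
    ps.external = old                                        # restore the old record
    return outcome(ps)
```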
US2003/0079122 A1 discloses the idea of using an external tamper-resistant storage device to store important state information. The idea of authenticated counters is introduced. The patent application US 2003/0079122 A1 discloses that an authenticated counter can be implemented in an external tamper-resistant security token, such as a smartcard, which can be used by the secure processor to integrity-protect its state storage. For this to work, the secure processor needs to be able to authenticate the external security token. For this purpose, the patent application US 2003/0079122 A1 discloses using a public key infrastructure (PKI).
However, a public key infrastructure is rather complex to set up because it involves coordination and agreements between device manufacturers and manufacturers of external security tokens. It also imposes an amount of processing load onto the external security tokens or memories.
State-of-the-art gambling machines handle money. Therefore, a security system is required that makes it impossible to manipulate bookkeeping data for personal advantage. The security system should also prevent any influence on the gambling process that harms providers of gambling machines.
Bookkeeping data should be stored in an external non-volatile or battery-backed memory, because after an unexpected power-down of the system the gambler wants to keep the money booked on his gambling account and does not want to lose it. To prevent anyone from reading the data stored in that external memory and manipulating its content, cryptographic methods and devices as described above are implemented in gambling machines to protect the memory content. However, none of the devices and methods introduced above achieves satisfying results for protecting sensitive data in gambling machines.
U.S. Pat. No. 6,209,098 discloses circuitry implemented within a multi-chip module comprising a first integrated circuit chip and a second integrated circuit chip coupled together through an interconnect. Both the first and second integrated circuit chips include a cryptographic engine coupled to the interconnect and a non-volatile memory element used to hold key information. These cryptographic engines are used solely to encrypt outgoing information output across the interconnect or to decrypt incoming information received from the interconnect. This is provided so as to prevent fraudulent physical attacks on information transmitted across the interconnect.
There is a need to provide for improved data security of stored data by addressing or advancing one or more shortcomings or disadvantages associated with the conventional security techniques, or to at least provide a useful alternative to such conventional security techniques.